Network security system including a multi-dimensional domain name system to protect against cybersecurity threats

ABSTRACT

A method performed by a security system that can analyze a vulnerability or a risk applicable to a network entity to identify a cybersecurity threat and an associated risk level. The security system can store indications of cybersecurity threats and risk levels in a database of a Domain Name System (DNS). The security system can monitor and resolve network traffic to determine IP addresses or URLs associated with the cybersecurity threats. The security system stores a map of the cybersecurity threats to those IP addresses or URLs so that it can protect a network entity by processing network traffic to or from sources or destinations that can harm particular network entities, and execute personalized security procedures to protect the network entities.

BACKGROUND

In telecommunications, 5G is the fifth generation technology standard for cellular networks, the successor to 4G networks, which provide connectivity to most current mobile phones. Like its predecessors, the service area of 5G networks is divided into geographical areas called cells. The wireless devices in a cell are connected to internet and telephone networks by radio waves through a local antenna in the cell. A main advantage of 5G networks is greater bandwidth, yielding higher download speeds, eventually up to 10 gigabits per second (Gbit/s). Due to the increased bandwidth, 5G networks can also serve as general internet service providers (ISPs) and will make possible new applications in internet-of-things (IoT) and machine-to-machine (M2M) areas.

5G introduces a new era of cybersecurity threats because, among other things, it enables communications and access of vastly higher volumes and types of data relative to prior generation technologies, and thus broadens the possibility of cyberattacks. For example, the risk of data breaches or leaks of personal data can increase because user credentials that are readily communicated on networks can be stolen and used to gain access to private information available through applications and services. Thus, victims can readily have their personal or private information like social security numbers, addresses, dates of birth, driver license numbers, and other personal data compromised.

Although most interconnected devices on networks are safe, dependable, and reliable, 5G wireless networks create a greater number of vulnerabilities to, for example, malware compared to other communication networks. Malware refers to any software that is intentionally designed to cause damage to a computer, server, client, or network. A wide variety of malware types exist, including viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, and scareware. These vulnerabilities and others cannot be addressed with conventional techniques because deployment of security resources across a massively diverse network of devices is cost-prohibitive, resource intensive, and impractical. Thus, effective targeted safeguards for 5G networks are desirable.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present technology will be described and explained through the use of the accompanying drawings.

FIG. 1 is a block diagram that illustrates a wireless communications system.

FIG. 2 is a block diagram that illustrates an architecture of network functions of a 5G network that can implement aspects of the present technology.

FIG. 3 is a flowchart that illustrates a method performed by a security system to prevent cyberattacks on a personalized basis.

FIG. 4 is a flow diagram that illustrates a method performed by a security system including a multi-dimensional Domain Name System (DNS) to prevent cyberattacks on network entities.

FIG. 5 is a block diagram that illustrates an example of a computing system in which at least some operations described herein can be implemented.

Various features of the technologies described herein will become more apparent to those skilled in the art from a study of the Detailed Description in conjunction with the drawings. Embodiments are illustrated by way of example and not limitation in the drawings, in which like references may indicate similar elements. While the drawings depict various embodiments for the purpose of illustration, those skilled in the art will recognize that alternative embodiments may be employed without departing from the principles of the technologies. Accordingly, while specific embodiments are shown in the drawings, the technology is amenable to various modifications.

DETAILED DESCRIPTION

The disclosed technologies relate to security systems of wireless networks. Aspects include a technology for providing personalized protection for network entities from cybersecurity threats with digital on-demand coupons that can be redeemed for targeted safeguards that protect against certain vulnerabilities or risks. An example of a network entity includes a single or group of one or more wireless devices that are serviced by a wireless network. Another aspect includes a service to mitigate cyberattacks with a multi-dimensional Domain Name System (DNS) that maps network entities and cybersecurity threats to IP addresses or Uniform Resource Locators (URLs). These technologies can be implemented in networks such as 5G telecommunications networks, which experience malicious activity due to voluminous network traffic of diverse sources.

A coupon can be embodied as an electronic voucher that entitles a network entity to a service or resource that safeguards against a vulnerability or risk. The coupon can be “hot,” which refers to the immediacy of the cybersecurity threat posed to a network entity. For example, an active cybersecurity threat is “hot” whereas the mere possibility of a cybersecurity threat is not hot. Thus, the coupons can provide personalized protection from cyberattacks, which addresses the unique vulnerabilities or risks of a network entity from external sources. The vulnerabilities or risks can be determined by analyzing, for example, user-specific information (e.g., age), user preferences, network nodes accessed, network resources accessed, and contextual information (e.g., time of day, location). For example, a wireless device is more vulnerable to cybersecurity threats if operated by a teenager searching the Internet at night, at a concert, or when using device-to-device communications. The cybersecurity threats can be associated with risk levels based on, for example, most frequently encountered (MFE) or most recently encountered (MRE) cybersecurity threats (e.g., across all or similar network entities).

Once the security system identifies a cybersecurity threat to a network entity, the security system can generate a coupon on-demand, which offers protection against the identified cybersecurity threat in exchange for a fee. A coupon can have various security and usability features. For example, a coupon can expire if not redeemed within a threshold time period or expire after a trial period. The security system can generate and/or send a coupon as an offer to a network entity based on contextual information (e.g., location of user) and user preferences (e.g., user has identified a concern about a cybersecurity threat when the user's wireless device is in certain locations). Examples of other security and usability features include a cryptographic key, globally unique ID (GUID), or link to cloud-based resources that are accessible to address a cybersecurity issue. Should the user, via the network entity, accept the coupon and pay the fee, the security system deploys resources to protect the network entity against the cybersecurity threat. For example, the security system can cause a wireless device of the network entity to install software (e.g., a security application), or can inspect certain network traffic of the network entity.

The security system can construct the multi-dimensional DNS to identify cybersecurity threats and control actions that protect network entities against those cybersecurity threats. For example, the security system can analyze vulnerabilities of network entities and risks that are external to the network entities, to identify cybersecurity threats specific to the network entities. The security system can also determine risk levels of the cybersecurity threats and store indications of the cybersecurity threats and risk levels in a database of the DNS (creating a multi-dimensional data structure). The security system can then monitor network traffic for cybersecurity threats and, once detected, map the cybersecurity threats to IP addresses or URLs associated with the network traffic. Thereafter, the security system can protect network entities from cybersecurity threats by monitoring network traffic that is routed over the network, to or from the IP addresses or the URLs associated with cybersecurity threats. An additional way in which the security system can protect network entities is to categorize network traffic according to risk levels, dynamically slice the network based on the risk levels, and direct the network traffic to network slices with matching risk levels.

The technologies can thus safeguard a network entity with personalized and targeted techniques to deploy security resources on-demand when a cybersecurity threat is detected. Additional techniques are described in the assignee's related applications including U.S. patent application Ser. No. 17/035,419, filed Sep. 28, 2020, titled “Digital On-Demand Coupons for Security Service of Communications System,” U.S. patent application Ser. No. 17/021,870, filed Sep. 15, 2020, titled “Visual Voicemail Centralized Authentication System for Wireless Networks,” U.S. patent application Ser. No. 16/945,592, filed Jul. 31, 2020, titled “Cached Entity Profiles at Network Access Nodes to Re-Authenticate Network Entities,” U.S. patent application Ser. No. 16/945,637, filed Jul. 31, 2020, titled “Connectivity Scheduler for NB-IOT Devices,” U.S. patent application Ser. No. 17/007,782, filed Aug. 31, 2020, titled “Wireless Network That Discovers Hotspots for Cyberattacks Based on Social Media Data,” U.S. patent application Ser. No. 16/849,158, filed Apr. 15, 2020, titled “On-Demand Security Layer for a 5G Wireless Network,” and U.S. patent application Ser. No. 16/921,765, filed Jul. 6, 2020, titled “Security System for Managing 5G Network Traffic,” each of which is incorporated by reference in its entirety for all purposes.

Wireless Communications System

FIG. 1 is a block diagram that illustrates a wireless telecommunication system 100 (“system 100”) in which aspects of the disclosed technology are incorporated. The system 100 includes base stations 102-1 through 102-4 (also referred to individually as “base station 102” or collectively as “base stations 102”). A base station is a type of network access node (NAN) that can also be referred to as a cell site, a base transceiver station, or a radio base station. The system 100 can include any combination of NANs including an access point, a radio transceiver, a gNodeB (gNB), NodeB, eNodeB (eNB), Home NodeB, a Home eNodeB, or the like. In addition to being a WWAN base station, a NAN can be a WLAN access point, such as an IEEE 802.11 access point.

The network formed by the system 100 also includes wireless devices 104-1 through 104-8 (referred to individually as “wireless device 104” or collectively as “wireless devices 104”) and a core network 106. The wireless devices 104-1 through 104-8 can correspond to or include network entities that are capable of communication using various connectivity standards. For example, a 5G communication channel can use millimeter wave (mmW) access frequencies of 28 GHz or more. In some implementations, the wireless device 104 can operatively couple to a base station 102 over an LTE/LTE-A communication channel, which is referred to as a 4G communication channel.

The core network 106 can provide, manage, or control security services, user authentication, access authorization, tracking, Internet Protocol (IP) connectivity, and other access, routing, or mobility functions. The base stations 102 interface with the core network 106 through a first set of backhaul links 108 (e.g., S1 interfaces) and can perform radio configuration and scheduling for communication with the wireless devices 104 or can operate under the control of a base station controller (not shown). In some examples, the base stations 102 can communicate, either directly or indirectly (e.g., through the core network 106), with each other over a second set of backhaul links 110-1 through 110-3 (e.g., X2 interfaces), which can be wired or wireless communication links.

The base stations 102 can wirelessly communicate with the wireless devices 104 via one or more base station antennas. The cell sites can provide communication coverage for geographic coverage areas 112-1 through 112-4 (also referred to individually as “coverage area 112” or collectively as “coverage areas 112”). The geographic coverage area 112 for a base station 102 can be divided into sectors making up only a portion of the coverage area (not shown). The system 100 can include base stations of different types (e.g., macro and/or small cell base stations). In some implementations, there can be overlapping geographic coverage areas 112 for different service environments (e.g., Internet-of-Things (IoT), mobile broadband (MBB), vehicle-to-everything (V2X), machine-to-machine (M2M), machine-to-everything (M2X), ultra-reliable low-latency communication (URLLC), machine-type communication (MTC)).

In some examples, the system 100 can include a 5G network and/or an LTE/LTE-A network. In an LTE/LTE-A network, the term eNB is used to describe the base stations 102 and, in 5G or new radio (NR) networks, the term gNB is used to describe the base stations 102 that include mmW communications. The system 100 can form a heterogeneous network in which different types of base stations provide coverage for various geographical regions. For example, each base station 102 can provide communication coverage for a macro cell, a small cell, and/or other types of cells. As used herein, the term “cell” can relate to a base station, a carrier or component carrier associated with the base station, or a coverage area (e.g., sector) of a carrier or base station, depending on context.

A macro cell generally covers a relatively large geographic area (e.g., several kilometers in radius) and can allow unrestricted access by wireless devices with service subscriptions with the network provider. A small cell is a lower-powered base station, as compared with a macro cell, and can operate in the same or different (e.g., licensed, unlicensed) frequency bands as macro cells. Examples of small cells include pico cells, femto cells, and micro cells. In general, a pico cell can cover a relatively smaller geographic area and can allow unrestricted access by wireless devices with service subscriptions with the network provider. A femto cell covers a relatively small geographic area (e.g., a home) and can provide restricted access by wireless devices having an association with the femto cell (e.g., wireless devices in a closed subscriber group (CSG), wireless devices for users in the home). A base station can support one or multiple (e.g., two, three, four, and the like) cells (e.g., component carriers). All fixed transceivers noted herein that can provide access to the network are NANs, including small cells.

The communication networks that accommodate various disclosed examples can be packet-based networks that operate according to a layered protocol stack. In the user plane, communications at the bearer or Packet Data Convergence Protocol (PDCP) layer can be IP-based. A Radio Link Control (RLC) layer then performs packet segmentation and reassembly to communicate over logical channels. A Medium Access Control (MAC) layer can perform priority handling and multiplexing of logical channels into transport channels. The MAC layer can also use Hybrid ARQ (HARQ) to provide retransmission at the MAC layer, to improve link efficiency. In the control plane, the Radio Resource Control (RRC) protocol layer provides establishment, configuration, and maintenance of an RRC connection between a wireless device 104 and the base stations 102 or core network 106 supporting radio bearers for the user plane data. At the Physical (PHY) layer, the transport channels are mapped to physical channels.

As illustrated, the wireless devices 104 are distributed throughout the system 100, where each wireless device 104 can be stationary or mobile. A wireless device can be referred to as a mobile station, a subscriber station, a mobile unit, a subscriber unit, a wireless unit, a remote unit, a handheld mobile device, a remote device, a mobile subscriber station, an access terminal, a mobile terminal, a wireless terminal, a remote terminal, a handset, a mobile client, a client, or the like. Examples of a wireless device include user equipment (UE) such as a mobile phone, a personal digital assistant (PDA), a wireless modem, a handheld mobile device (e.g., wireless devices 104-1 and 104-2), a tablet computer, a laptop computer (e.g., wireless device 104-3), or a wearable (e.g., wireless device 104-4). A wireless device can be included in another device such as, for example, a drone (e.g., wireless device 104-5), a vehicle (e.g., wireless device 104-6), an augmented reality/virtual reality (AR/VR) device such as a head-mounted display device (e.g., wireless device 104-7), an IoT device such as an appliance in a home (e.g., wireless device 104-8), or a wirelessly connected sensor that provides data to a remote server over a network.

A wireless device can communicate with various types of base stations and network equipment at the edge of a network including macro eNBs/gNBs, small cell eNBs/gNBs, relay base stations, and the like. A wireless device can also communicate with other wireless devices either within or outside the same coverage area of a base station via device-to-device (D2D) communications.

The communication links 114-1 through 114-11 (also referred to individually as “communication link 114” or collectively as “communication links 114”) shown in system 100 include uplink (UL) transmissions from a wireless device 104 to a base station 102, and/or downlink (DL) transmissions, from a base station 102 to a wireless device 104. The downlink transmissions may also be called forward link transmissions while the uplink transmissions may also be called reverse link transmissions. Each communication link 114 includes one or more carriers, where each carrier can be a signal composed of multiple sub-carriers (e.g., waveform signals of different frequencies) modulated according to the various radio technologies described above. Each modulated signal can be sent on a different sub-carrier and carry control information (e.g., reference signals, control channels), overhead information, user data, etc. The communication links 114 can transmit bidirectional communications using FDD (e.g., using paired spectrum resources) or TDD operation (e.g., using unpaired spectrum resources). In some embodiments, the communication links 114 include LTE and/or mmW communication links.

In some embodiments of the system 100, the base stations 102 and/or the wireless devices 104 include multiple antennas for employing antenna diversity schemes to improve communication quality and reliability between base stations 102 and wireless devices 104. Additionally or alternatively, the base stations 102 and/or the wireless devices 104 can employ multiple-input, multiple-output (MIMO) techniques that may take advantage of multi-path environments to transmit multiple spatial layers carrying the same or different coded data.

In some embodiments, the wireless devices 104 are capable of communicating signals via the LTE network and an mmW system (e.g., as part of a 5G/NR system). Accordingly, the wireless device 104 can communicate with the base station 102 over an LTE link and/or with a transmission point (TP) or base station (BS) over an mmW link. In another example, at least one of the base stations 102 communicates signals via the LTE network and the mmW system over one or more communication links 114. As such, a base station 116 may be referred to as an LTE+mmW eNB or gNB or as an LTE+mmW TP/BS/mmW-BS.

FIG. 2 is a block diagram that illustrates an architecture of network functions of a 5G network that can implement aspects of the present technology. A network entity such as a wireless device 202 can access the 5G network via a RAN 204, through a NAN such as a gNB. The architecture of the network functions 200 includes an authentication server function (AUSF) 216, a unified data management (UDM) 218, an access and mobility management function (AMF) 212, a policy control function (PCF) 214, a session management function (SMF) 220, and a user plane function (UPF) 222. The PCF 214 can connect with one or more application functions (AFs) 224. The UPF 222 can connect with one or more data networks (DNs) 223. The interfaces N1 through N15 define the communications and/or protocols between each function or component, as described in relevant standards. The UPF 222 is part of the user plane and the AMF 212, SMF 220, PCF 214, AUSF 216, and UDM 218 are part of the control plane. The UPFs can be deployed separately from control plane functions, and the network functions of the control plane are modularized such that they can be scaled independently.

A UDM introduces the concept of user data convergence (UDC) that separates the user data repository (UDR) for storing and managing subscriber information from the frontend that processes the subscriber information. The UDM can employ UDC under 3GPP TS 22.101, which supports a layered architecture that separates user data from application logic in 3GPP systems. The UDM 218 is associated with a database (not shown) that can contain profile data for subscribers and/or other data that can be used to authenticate network entities. Given the large number of wireless devices (e.g., IoT devices) that can connect to the 5G network, the UDM 218 contains voluminous amounts of data that is accessed to authenticate network entities.

For example, each time that a wireless device seeks to connect to a 5G network, a UDM receives an indication of a connection request and authorizes the connection request by authenticating the wireless device or associated subscriber based on profile data stored at the UDM. The UDM can then communicate the authorization to the NAN so that the wireless device can access the 5G network through the NAN.

On-Demand Coupons for Security Service

The network entities of any network are uniquely susceptible to cybersecurity threats due to their own vulnerabilities and to risks external to the network entity. For example, the vulnerabilities of a wireless device can include outdated or defective hardware or software components. The vulnerabilities of a user can be determined based on user-specific information (e.g., age) and/or user preferences. In other examples, the vulnerabilities of a network entity are contextual (e.g., time of day, location). For example, a wireless device with an outdated operating system is vulnerable, especially when operated by a teenager that regularly searches the internet and engages in unsecured device-to-device communications in public locations.

Based on vulnerabilities or risks, the disclosed security system can detect cybersecurity threats to network entities in real-time or near real-time and generate coupons that entitle the network entities to security resources that can address the cybersecurity threats. That is, a coupon is generated on-demand to specifically address a cybersecurity threat to a network entity. The coupon is redeemable by the network entity by paying a fee for the security resource. Examples of security resources include software (e.g., a security application) to load on a computing device of the network entity or a tool to inspect network traffic to/from the network entity. The coupons can include security and usability features such as a cryptographic key, globally unique ID (GUID), or unique link to cloud-based resources that are accessible only by the network entity.

The coupons are effectively a personalized key for a network entity to gain timely access to a security resource. Further, the fee can be proportional to the cost of the security resource and/or based on a user's service plans, customer profile information, or contextual information. Further still, a coupon could entitle a network entity to access a security resource for a limited or predetermined time period. In a typical application, the coupon addresses an immediate and/or temporary need rather than securing a network entity against a potential or permanent cybersecurity threat. As such, a coupon is “hot” in that it addresses an urgent need for a security resource.

A network entity can include one or more wireless devices that can connect to a wireless network (e.g., endpoint devices). Examples include a group of wireless devices (e.g., smartphones) that are serviced by a wireless network. The digital coupon can be embodied as an electronic voucher that is generated on-demand for a specific network entity. In other words, a coupon is “network entity specific,” which means that only a specific network entity can redeem the coupon and utilize the associated security resource. In other examples, a coupon is redeemable by a group of network entities or a coupon is non-specific to any network entity. A network entity can redeem a coupon after being authenticated. The authentication process can include one or more factors such as credentials, a passcode, an electronic key, biometric authentication, etc. As such, the coupon is personalized to safeguard a particular network entity.

FIG. 3 is a flowchart that illustrates a method 300 performed by a security system of a network to prevent cyberattacks on a personalized basis. The security system can include one or more network nodes including one or more network functions (e.g., as shown in FIG. 2). In one example, the security system is a vulnerability-risk-threat (VRT) system of a 5G network that provides a coupon service on demand based on VRT metrics. In particular, the security system characterizes (e.g., labels) network traffic according to a vulnerability parameter relating to a state or condition of a network element internal to the network that is susceptible to a cyberattack; a risk parameter relating to the current scope or potential harm of a cyberattack by an external source; and a threat parameter relating to the probability or source of a future cyberattack by an external source.

At 302, the security system can identify a cybersecurity threat to a network entity based at least in part on contextual information, a user preference, or a call detail record associated with the network entity. The contextual information can be obtained from a wireless device of the network entity. For example, the wireless device can supply location information. The security system can retrieve the user preference from a Unified Data Management (UDM) database of the 5G network, and call detail records can be obtained from a charging system of a communications network. In one implementation, the security system identifies a cybersecurity threat based on a determination that a wireless device is being operated in a location that is a hotspot for malicious activity (e.g., an airport); is uploading large volumes of data over a cellular network to a cloud network at night despite a user preference to the contrary; or, based on an analysis of a call detail record, is receiving machine-generated calls (e.g., robocalls).

In some implementations, the security system can identify a risk level of a cybersecurity threat. In particular, a range of risk levels can be associated with a cybersecurity threat. For example, the range can include a low risk level that requires less protection or is more readily contained, a medium risk level that requires moderate protection (e.g., more resources), and a high risk level that requires even more resources to protect the network entity. The security system can identify the risk level of a cybersecurity threat based on, for example, a most frequently encountered (MFE) and/or most recently encountered (MRE) cybersecurity threat to one or more network entities such as a wireless device or a group of multiple wireless devices serviced by a 5G network. In another example, the security system can identify a cybersecurity threat based on a characteristic that is common between the user and a group of one or more other users.

At 304, the security system can determine a fee to charge the user to protect against the cybersecurity threat. The fee can be determined by analyzing policies stored at a Policy Control Function (PCF) of a 5G network. For example, the PCF can include policies that tailor fees based on subscriber service plan, the geographic locations of the wireless devices, the availability of security resources, etc. For example, the fee for a coupon to redeem a computationally intensive security service (e.g., elaborate traffic inspection) could be greater during periods of higher network traffic or based on comparable needs of other network entities.

At 306, the security system can generate the coupon on-demand to protect the wireless device against the cybersecurity threat. The coupon can be generated specifically for a network entity or a group of network entities. As such, only those network entities that are properly authenticated can redeem the coupon. For example, the coupon can include security or usability features such as being associated with user credentials, a passcode, or other authentication factor. In another instance, the coupon can be neutral to network entities and/or have a limited supply or usability. In one example, some or all visitors to a venue (e.g., a concert) can be emailed coupons for security resources and be informed that only the first 100 users that redeem the coupon will have access to the security resource during the concert. The coupon can be associated with media (e.g., video, audio, text) that describes the cybersecurity threat and requests the fee for redeeming the coupon. Moreover, the coupon may only work for a predetermined time period or remain redeemable for another predetermined time period.

At 308, the security system can send the coupon to the wireless device over a communications network. For example, the coupon can be an electronic voucher that is emailed, texted, or otherwise communicated over a wireless network to a wireless device that is susceptible to the cybersecurity threat. The communication can include cryptographic security data, a globally unique ID (GUID) associated with the user or the wireless device, and a link to access the software via a 5G network. The form in which the coupon is communicated and how the coupon is communicated can depend at least in part on contextual information relating to the wireless device and a user preference. For example, a user with a wireless device that only has a cellular connection, and/or prefers to receive text messages rather than emails, can receive coupons in text messages rather than emails.

At 310, the security system can receive an indication that the coupon was accepted and the fee was paid. In response, the security system deploys, by an Access and Mobility Management Function (AMF) of a 5G network, products or security resources to protect against the cybersecurity threat. For example, the security system can push a mobile app to a wireless device, load the mobile app on the wireless device, and automatically install the mobile app for immediate use to protect against a cybersecurity threat. In another example, the security system can cause the wireless device to load a software tool to protect the wireless device against the cybersecurity threat. In yet another example, the security system assigns network resources such as a dynamically instantiable firewall for the wireless device. In another example, the security system can use a Session Management Function (SMF) of a 5G network to control inspection of network traffic to/from the wireless device. In a particular example, the cybersecurity threat is an unauthorized phone call to the wireless device. In response, the AMF activates products or resources to protect against the cybersecurity threat by blocking the unauthorized phone call to the wireless device.

Although the method 300 is described as a process that is initiated upon detection of a cybersecurity threat, the process can also be initiated by the network entity. For example, the security system can receive a direct request from a network entity for on-demand protection from a potential or actual cybersecurity threat. The security system can then generate an on-demand coupon based on the request and send the coupon for use by the network entity. For example, a user can submit a request to the security system for added security protection while at an airport. In response, the security system can issue a one-time, limited-use coupon for the user to redeem upon paying a fee.
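The coupon described at 308 and 310 (and the one-time, limited-use on-demand coupon above) has to bind the user's GUID, the covered threat, the fee and the link together so that none of them can be altered in transit, and redemption has to enforce the one-time and expiry limits. The following is an added example, not code from the patent: the HMAC-SHA256 tag stands in for the "cryptographic security data", the key, field names, delivery rule and return strings are the editor's assumptions, and no real messaging or payment service is contacted.

```python
"""Added example (not code from the patent): a one-time, limited-use coupon of
the kind described at 308/310 and for on-demand requests. The coupon carries
the user's GUID, the threat it covers, the fee, a link to the protection and
cryptographic security data (an HMAC-SHA256 tag over the other fields).
The key, field names and delivery rule are the editor's assumptions."""
import base64
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"constructed-demo-key-do-not-reuse"   # constructed; held only by the security system


def delivery_channel(context):
    """308: the channel depends on device connectivity and user preference."""
    if context.get("prefers_sms") or context.get("connectivity") == "cellular-only":
        return "sms"
    return "email"


def issue_coupon(user_guid, threat, fee, link, uses=1, ttl=3600, now=None):
    """308: build a coupon and bind its fields together with an HMAC so the
    fee, link or user cannot be changed in transit; uses/ttl bound redemption."""
    body = {"coupon_id": str(uuid.uuid4()), "guid": user_guid, "threat": threat,
            "fee": fee, "link": link, "uses": uses,
            "exp": int((now if now is not None else time.time()) + ttl)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


class Redemptions:
    """310: verify a presented coupon and record its use before deploying."""

    def __init__(self):
        self.used = {}   # coupon_id -> redemptions so far

    def redeem(self, coupon, user_guid, amount_paid, now=None):
        try:
            p64, t64 = coupon.split(".")
            payload = base64.urlsafe_b64decode(p64)
            tag = base64.urlsafe_b64decode(t64)
        except ValueError:
            return "malformed"
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):     # constant-time compare
            return "bad-signature"
        body = json.loads(payload)
        if body["guid"] != user_guid:
            return "wrong-user"
        if (now if now is not None else time.time()) > body["exp"]:
            return "expired"
        if amount_paid < body["fee"]:
            return "fee-unpaid"
        count = self.used.get(body["coupon_id"], 0)
        if count >= body["uses"]:
            return "exhausted"
        self.used[body["coupon_id"]] = count + 1
        return "deploy:" + body["link"]     # the AMF would now push the protection


if __name__ == "__main__":
    store = Redemptions()
    c = issue_coupon("guid-1", "credential-harvesting", 4.99, "https://protect.example/app")
    print(delivery_channel({"connectivity": "cellular-only"}), c[:40] + "...")
    print(store.redeem(c, "guid-1", 4.99))   # deploy:...
    print(store.redeem(c, "guid-1", 4.99))   # exhausted: one-time coupon
```

The verification order matters: the tag is checked before any field is trusted, so a tampered fee or link never reaches the fee and expiry checks, and the per-`coupon_id` counter is what makes the coupon one-time rather than the coupon string itself.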

The security system can include various features that enhance the security of network entities. For example, the security system can analyze cybersecurity threats applicable to a network entity and other cybersecurity threats applicable to other network entities. Based on the collective analysis, the security system can dynamically slice a 5G network according to the cybersecurity threats. As such, network slices of the 5G network can depend on the cybersecurity threats, and security resources can be allocated per network slice. In yet another example, a cybersecurity threat along with a risk level can be stored at a database of a DNS of a 5G network. In response to identifying network traffic associated with a cybersecurity threat, the DNS can resolve an IP address or URL of the network traffic to issue a coupon associated with resources that can protect a network entity by, for example, blocking or inspecting network traffic of the IP address/URL to/from the network entity. This technology can be scaled to protect network entities automatically without coupons, as described next.

Multi-Dimensional DNS to Safeguard Network Entities

The security system includes a service that can mitigate the impact of cyberattacks on network entities or avoid cyberattacks altogether. The service is enabled by a DNS, which is a hierarchical and decentralized naming system for computers, services, or other resources connected to the internet or another network. The DNS links information with domain names assigned to each participating source. Most prominently, the DNS translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols; a URL embeds such a domain name, which is why the mappings described below are expressed in terms of IP addresses or URLs.

The disclosed multi-dimensional DNS stores data that is used to identify IP addresses or URLs associated with cybersecurity threats. The DNS maps vulnerabilities or risks of network entities to potential cybersecurity threats, which can be detected from network traffic that is routed over the wireless network. For example, a firewall of the network can detect potentially malicious network traffic and update the multi-dimensional DNS to map the source or destination of the network traffic to cybersecurity threats. As such, the security system (including, for example, the firewall) can detect cybersecurity threats from network traffic, mitigate their impact on network entities, and block the network traffic routed between a vulnerable network entity and the source or destination of that traffic. Thus, the security system can target the deployment of security resources to reduce the impact of cybersecurity threats on network entities.

The DNS is coupled to or includes a database that maps the cybersecurity threats, network entities, and IP addresses/URLs. However, other network nodes can be configured to perform similar operations. For example, a network firewall can be configured to similarly detect cybersecurity threats. To aid in understanding, however, the examples discussed herein focus on using the multi-dimensional DNS. Upon detecting cybersecurity threats, the security system can perform one or more actions to protect network entities against the cybersecurity threats. For example, the security system can block traffic between a source/destination and a network entity. In another example, the security system can deploy an inspection mechanism to inspect network traffic that is routed between a source/destination and the network entity. The inspection mechanism can parse the network traffic to extract indications of malicious data. Any suspicious data can be re-routed or quarantined elsewhere outside the network to protect against a harmful impact to a network entity.

The actions performed in response to detecting cybersecurity threats can vary according to different metrics. For example, the security system can perform different actions based on risk levels associated with cybersecurity threats. The security system can take more aggressive actions (e.g., block network traffic) for cybersecurity threats that pose a higher risk compared to those that pose a lower risk (e.g., inspect but not necessarily block network traffic). In one example, a cybersecurity threat that would expose private user data could receive prioritized safeguards compared to a cybersecurity threat that could merely impair the performance of an application. In another example, the security system can protect network entities by categorizing incoming traffic according to risk levels, dynamically slicing the network based on the risk levels, and routing subsequent network traffic to corresponding network slices of matching risk levels. As such, security resources can be assigned per network slice rather than per individual network entity.

FIG. 4 is a flow diagram that illustrates a method 400 performed by a security system including a multi-dimensional DNS that prevents cyberattacks on network entities. As shown, the method 400 is performed by the security system including one or more network nodes in addition to the DNS that stores mappings between cybersecurity threats, network entities, IP addresses/URLs, and actions to protect network entities. The one or more network nodes can include any combination of the one or more network functions that monitor network traffic, detect cybersecurity threats, and perform actions.

At 402, the security system can analyze a vulnerability or risk applicable to a network entity to identify a cybersecurity threat to the network entity. The security system can analyze various forms and sources of information to identify vulnerabilities or risks of network entities. Where the network entity includes a wireless device, the security system can compare a property of a hardware component or a software component to properties of hardware or software components associated with known vulnerabilities. The security system can then identify the cybersecurity threat based on the property of the hardware component or the software component matching one of the known vulnerabilities. Where the network entity includes user data associated with a wireless device, the security system can compare a characteristic of a user to one or more characteristics of a group of users that are associated with a known risk. The security system can identify the cybersecurity threat based on a characteristic being common among the user and the group of users. In another example, the security system can analyze contextual information relating to the network entity, a user preference, and/or a call detail record of the network entity. For example, a user within an age range, or a wireless device in a geographic location (e.g., at a concert or sporting event), or a user that receives robocalls can be associated with a security risk.

At 404, the security system can determine a risk level for the cybersecurity threat. The risk level can be selected from a range of multiple risk levels. For example, the multiple risk levels can include a low risk level indicating a low risk of the cybersecurity threat, a medium risk level indicating a moderate risk of the cybersecurity threat, and a high risk level indicating a high risk of the cybersecurity threat. The risk levels enable performing actions or deployment of security resources at granular levels. For example, the security system can block network traffic designated as high risk, inspect the content of network traffic designated as medium risk, and/or merely monitor activity of network traffic designated as low risk.

At 406, the security system can store an indication of the cybersecurity threat and associated risk level in a database of a DNS that is communicatively coupled to the network. That is, the security system adds dimensions to the DNS so that the IP addresses or URLs obtained from the DNS can be used to address cybersecurity threats. For example, the security system can label an IP address as a potential source or destination of the cybersecurity threat for a type of network entity. Other dimensions of data stored at the DNS include risk levels associated with cybersecurity threats, and/or IP addresses or URLs. Thus, the DNS is enriched with data built on existing data to enable the described security technology. The multi-dimensional data can be stored in one or more tables or in other data structures that map cybersecurity threats, network entities, IP addresses/URLs, actions, etc. The structure of the multi-dimensional DNS can include a modified conventional DNS that includes a database with the data required to detect and thwart cybersecurity threats and/or couples to a firewall that enables using the DNS to detect or thwart cybersecurity threats. In another example, the multi-dimensional DNS is configured specifically to perform the security techniques described herein.

At 408, network traffic is normally routed over the network between the network entities and sources or destinations with particular IP addresses or URLs. The security system can monitor (e.g., with a computing resource) the network traffic routed via the network for cybersecurity threats. The network nodes can include computing resources to monitor the network traffic at an edge of the network, upstream at network access nodes, or further upstream at core nodes of the network.

At 410, the security system can use the multi-dimensional DNS to resolve the network traffic and determine an IP address or URL of a source or a destination of the network traffic associated with a cybersecurity threat. That is, the DNS serves as an index for the network by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 93.184.216.34 (IPv4) or 2606:2800:220:1:248:1893:25c8:1946 (IPv6). Because the addresses behind a name change over time, the threat dimension should be keyed by the address that was actually resolved when the traffic was observed, not by an address assumed from the name.

At 412, in response to the determination that the network traffic is associated with the cybersecurity threat, the security system can map the cybersecurity threat to the IP address or the URL of the source or the destination of the network traffic. For example, the DNS can resolve an IP address of a URL or use the URL to identify a particular cybersecurity threat for a particular network entity, associated with a particular risk level. This information can be processed to determine suitable protection for a network entity, as described next.

At 414, the security system can protect the network entity from the cybersecurity threat by processing network traffic of the IP address/URL stored in the DNS in accordance with a security procedure of a Session Management Function (SMF). The security procedure can be selected from among multiple security procedures based on a risk level of a cybersecurity threat. The security procedure can include performing an action such as blocking network traffic routed to/from the IP address and the network entity. In another example, the action can include instantiating an inspection mechanism to inspect the network traffic routed to/from a URL and the network entity. The security system can re-route any of the network traffic associated with a cybersecurity threat to a containment area. In another example, the security system can dynamically allocate a computing resource to inspect or process some network traffic at a moderate risk level and block other network traffic at a high risk level.

In one implementation, the security procedure is selected based on contextual information such as a time of day in which the network traffic is processed or a geographic location of a source or a destination of the network traffic. As such, the security procedure can be personalized for contextual information in addition to using other information about the network entity. This enables another way to deploy limited security resources in a manner that can maximize the impact of those resources to safeguard network entities. The security procedure can also include a process to categorize network traffic according to the multiple risk levels and dynamically create a network slice of the network for each risk level. The security system can then direct portions of the subsequent network traffic to corresponding network slices having matching risk levels. This configuration provides yet another way to deploy resources in a manner that can provide maximum safeguards with limited resources.
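The multi-dimensional DNS described under "Multi-Dimensional DNS to Safeguard Network Entities" and the steps 402 through 414 of method 400 fit in one small model: ordinary name-to-address records, an added threat/risk dimension keyed by address or URL, a per-entity exposure set from component and cohort matching, and a procedure chosen from the risk level and context with a per-risk slice. The following is an added example written for this page, not code from the patent: the zone data, vulnerability list, user traits and escalation rules are constructed, the class and function names are the editor's assumptions, and no real DNS query is made.

```python
"""Added example (not code from the patent): a toy multi-dimensional DNS that
keeps a threat/risk dimension beside ordinary name-to-address records and
selects a security procedure per risk level, following method 400 (402-414).
Zone data, the vulnerability list and user traits are constructed for the
example; class, function and field names are the editor's assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# 404 / claim 9: one security procedure per risk level.
PROCEDURE = {Risk.LOW: "monitor", Risk.MEDIUM: "inspect", Risk.HIGH: "block"}

# 402 inputs (constructed): a component property maps to the threats it
# exposes the device to; a user characteristic maps to the threat shared
# by the risky cohort of users having that characteristic.
KNOWN_VULNERABLE = {
    ("modem-firmware", "1.0.3"): {"baseband-exploit"},
    ("browser", "88.0"): {"drive-by-download", "credential-harvesting"},
}
RISKY_TRAITS = {("receives_robocalls", True): "credential-harvesting"}


@dataclass
class ThreatRecord:
    threat: str
    risk: Risk


@dataclass
class MultiDimensionalDNS:
    zone: dict = field(default_factory=dict)     # name -> [addresses]
    threats: dict = field(default_factory=dict)  # address or URL -> ThreatRecord

    def resolve(self, name):
        """410: conventional name-to-address resolution (no network I/O here)."""
        return list(self.zone.get(name, []))

    def label(self, address_or_url, threat, risk):
        """406/412: the added dimension, written by the security system or by
        a firewall that observed malicious traffic to/from this address."""
        self.threats[address_or_url] = ThreatRecord(threat, risk)


def exposures(components, user_traits):
    """402: threats a network entity is exposed to, from its hardware/software
    component properties and from characteristics shared with a risky cohort."""
    found = set()
    for c in components:
        found |= KNOWN_VULNERABLE.get((c["kind"], c["version"]), set())
    for key, threat in RISKY_TRAITS.items():
        if key in user_traits.items():
            found.add(threat)
    return found


def select_procedure(risk, context):
    """414: procedure from the risk level, tightened by contextual information
    (time of day, geography); traffic is also steered to a per-risk slice.
    The escalation rules are this example's own, not the patent's."""
    hour = context.get("hour")
    if hour is not None and not 6 <= hour < 22:          # off-hours: one level up
        risk = Risk(min(risk + 1, Risk.HIGH))
    if context.get("geo") in context.get("high_risk_geos", ()):
        risk = Risk.HIGH
    return PROCEDURE[risk], "slice-" + risk.name.lower()


def protect(dns, name, entity_exposures, context):
    """408-414: resolve the destination, map it to a threat this entity is
    actually exposed to, and return the procedure and slice to apply."""
    for key in dns.resolve(name) + [name]:               # addresses, then URL label
        rec = dns.threats.get(key)
        if rec and rec.threat in entity_exposures:
            action, slice_id = select_procedure(rec.risk, context)
            return {"address": key, "threat": rec.threat, "risk": rec.risk.name,
                    "action": action, "slice": slice_id}
    return {"address": None, "threat": None, "risk": None,
            "action": "forward", "slice": "slice-default"}


def demo_dns():
    """Constructed zone: example.com as quoted in the text, plus labelled
    hosts in reserved documentation address space."""
    dns = MultiDimensionalDNS(zone={
        "www.example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
        "login.bad.example": ["203.0.113.10"],
        "cdn.ads.example": ["198.51.100.7"],
    })
    dns.label("203.0.113.10", "credential-harvesting", Risk.HIGH)
    dns.label("198.51.100.7", "drive-by-download", Risk.LOW)
    dns.label("http://cdn.ads.example/loader.js", "drive-by-download", Risk.MEDIUM)
    return dns


if __name__ == "__main__":
    dns = demo_dns()
    handset = exposures([{"kind": "browser", "version": "88.0"}],
                        {"receives_robocalls": True})
    for host, ctx in [("www.example.com", {"hour": 14}),
                      ("login.bad.example", {"hour": 14}),
                      ("cdn.ads.example", {"hour": 14}),
                      ("cdn.ads.example", {"hour": 3})]:
        print(host, ctx, protect(dns, host, handset, ctx))
```

Two design points carry over to a real deployment: the threat dimension is keyed by the resolved address or the literal URL, so a name whose address changes is re-evaluated on the new address rather than on a stale label, and the procedure only fires when the labelled threat is one the particular entity is exposed to, which is what makes the protection "personalized" rather than a global blocklist.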

Computer System

FIG. 5 is a block diagram that illustrates an example of a computer system 500 in which at least some operations described herein can be implemented. For example, components of the system 100 and components discussed with respect to FIGS. 2-4 can include or host components of the computing system 500.

As shown, the computer system 500 can include one or more processors 502, main memory 506, non-volatile memory 510, a network interface device 512, video display device 518, an input/output device 520, a control device 522 (e.g., keyboard and pointing device), a drive unit 524 that includes a storage medium 526, and a signal generation device 530 that are communicatively connected to a bus 516. The bus 516 represents one or more physical buses and/or point-to-point connections that are connected by appropriate bridges, adapters, or controllers. The bus 516 therefore can include a system bus, a Peripheral Component Interconnect (PCI) bus or PCI-Express bus, a HyperTransport or industry standard architecture (ISA) bus, a small computer system interface (SCSI) bus, a universal serial bus (USB), IIC (I2C) bus, or an Institute of Electrical and Electronics Engineers (IEEE) standard 1394 bus (also referred to as “Firewire”). Various common components (e.g., cache memory) are omitted from FIG. 5 for brevity. Instead, the computer system 500 is intended to illustrate a hardware device on which components illustrated or described relative to the examples of FIGS. 1-4 and any other components described in this specification can be implemented.

The computer system 500 can take any suitable physical form. For example, the computing system 500 may share a similar architecture to that of a personal computer (PC), tablet computer, mobile telephone, game console, music player, wearable electronic device, network-connected (“smart”) device (e.g., a television or home assistant device), AR/VR systems (e.g., head-mounted display), or any electronic device capable of executing a set of instructions that specify action(s) to be taken by the computing system 500. In some embodiments, the computer system 500 can be an embedded computer system, a system-on-chip (SOC), a single-board computer system (SBC) or a distributed system such as a mesh of computer systems or include one or more cloud components in one or more networks. Where appropriate, one or more computer systems 500 can perform operations in real-time, near real-time, or in batch mode.

The processor 502 can be, for example, a central processing unit or a conventional microprocessor (e.g., Intel Pentium processor). The memory (e.g., main memory 506, non-volatile memory 510, machine-readable medium 526) can be local, remote, or distributed. Although shown as a single medium, the machine-readable medium 526 can include multiple media (e.g., a centralized/distributed database and/or associated caches and servers) that store one or more sets of instructions 528. The machine-readable (storage) medium 526 can include any medium that is capable of storing, encoding, or carrying a set of instructions for execution by the computing system 500. One of skill in the relevant art will recognize that the machine-readable medium 526 can include any type of medium that is accessible by the processor. The machine-readable medium 526 can be non-transitory or comprise a non-transitory device. In this context, a non-transitory storage medium can include a device that is tangible, meaning that the device has a concrete physical form, although the device can change its physical state. Thus, for example, non-transitory refers to a device remaining tangible despite this change in state.

In general, the routines executed to implement the embodiments of the disclosure may be implemented as part of an operating system or a specific application, component, program, object, module, or sequence of instructions (collectively referred to as “computer programs”). The computer programs typically comprise one or more instructions (e.g., instructions 504, 508, 528) set at various times in various memory and storage devices in computing device(s). When read and executed by the processor 502, the instruction(s) cause the computing system 500 to perform operations to execute elements involving the various aspects of the disclosure.

Although embodiments have been described in the context of fully functioning computing devices, the various embodiments are capable of being distributed as a program product in a variety of forms. Examples of machine-readable storage media, machine-readable media, or computer-readable media include recordable-type media such as volatile and non-volatile memory devices 510, removable flash memory, hard disk drives, optical disks, and transmission-type media such as digital and analog communication links.

Software is typically stored in the non-volatile memory and/or the drive unit 524. When software is moved to the memory for execution, the processor 502 will typically make use of hardware registers to store values associated with the software, and local cache that, ideally, serves to speed up execution. As used herein, a software program is assumed to be stored at any known or convenient location (e.g., non-volatile storage, hardware registers) when the software program is referred to as “implemented in a computer-readable medium.” A processor can be “configured to execute a program” when at least one value associated with the program is stored in a register readable by the processor.

The network interface device 512 enables the computing system 500 to mediate data in a network 514 with an entity that is external to the computing system 500 through any communication protocol supported by the computing system 500 and the external entity. Examples of the network interface device 512 include a network adaptor card, a wireless network interface card, a router, an access point, a wireless router, a switch, a multilayer switch, a protocol converter, a gateway, a bridge, bridge router, a hub, a digital media receiver, and/or a repeater.

Further, the interface device 512 can include a firewall that governs and/or manages permission to access/proxy data in a computer network and tracks varying levels of trust between different machines and/or applications. The firewall can be any number of modules having any combination of hardware and/or software components able to enforce a predetermined set of access rights between a particular set of machines and applications, machines and machines, and/or applications and applications (e.g., to regulate the flow of traffic and resource sharing between these entities). The firewall may additionally manage and/or have access to an access control list that details permissions including the access and operation rights of an object by an individual, a machine, and/or an application, and the circumstances under which the permission rights stand.

Examples of the I/O devices 520 include a keyboard, a mouse or other pointing device, disk drives, printers, a scanner, and other input and/or output devices, including a display device. Examples of the display device 518 can include a cathode ray tube (CRT), liquid crystal display (LCD), or any display device.

In operation, the computer system 500 can be controlled by operating system software that includes a file management system, such as a disk operating system. One example of operating system software with associated item management system software is the family of operating systems known as Windows® from Microsoft Corporation of Redmond, Wash., and their associated item management systems. Another example of operating system software with its associated item management system software is the Linux™ operating system and its associated item management system. The item management system is typically stored in the non-volatile memory and/or drive unit and causes the processor to execute the various acts required by the operating system to input and output data and to store data in the memory, including storing items on the non-volatile memory and/or drive unit.

The techniques introduced here can be implemented by programmable circuitry (e.g., one or more microprocessors), software and/or firmware, special-purpose hardwired (i.e., non-programmable) circuitry, or a combination of such forms. Special-purpose circuitry can be in the form of one or more application-specific integrated circuits (ASICs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), etc.

Some portions of the detailed description can be presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm can refer to a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as “processing” or “computing” or “calculating” or “determining” or “displaying” or “generating” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.

The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems can be used with programs in accordance with the teachings herein, or it can prove convenient to construct more specialized apparatus to perform the methods of some embodiments. The required structure for a variety of these systems will appear from the description below. In addition, the techniques are not described with reference to any particular programming language, and various embodiments can thus be implemented using a variety of programming languages.

In some circumstances, operation of a memory device, such as a change in state from a binary one to a binary zero or vice-versa, for example, can comprise a transformation, such as a physical transformation. With particular types of memory devices, such a physical transformation can comprise a physical transformation of an article to a different state or thing. For example, but without limitation, for some types of memory devices, a change in state can involve an accumulation and storage of charge or a release of stored charge. Likewise, in other memory devices, a change of state can comprise a physical change or transformation in magnetic orientation or a physical change or transformation in molecular structure, such as from crystalline to amorphous or vice versa. The foregoing is not intended to be an exhaustive list in which a change in state for a binary one to a binary zero or vice-versa in a memory device can comprise a transformation, such as a physical transformation. Rather, the foregoing is intended as illustrative examples.

Remarks

Unless the context clearly requires otherwise, throughout the description and the claims, the words “comprise,” “comprising,” and the like are to be construed in an inclusive sense, as opposed to an exclusive or exhaustive sense; that is to say, in the sense of “including, but not limited to.” As used herein, the terms “connected,” “coupled,” or any variant thereof means any connection or coupling, either direct or indirect, between two or more elements; the coupling or connection between the elements can be physical, logical, or a combination thereof. Additionally, the words “herein,” “above,” “below,” and words of similar import can refer to this application as a whole and not to any particular portions of this application. Where the context permits, words in the above Detailed Description using the singular or plural number may also include the plural or singular number respectively. The word “or” in reference to a list of two or more items covers all of the following interpretations of the word: any of the items in the list, all of the items in the list, and any combination of the items in the list.

While specific examples of technology are described above for illustrative purposes, various equivalent modifications are possible within the scope of the invention, as those skilled in the relevant art will recognize. For example, while processes or blocks are presented in a given order, alternative implementations may perform routines having steps, or employ systems having blocks, in a different order, and some processes or blocks may be deleted, moved, added, subdivided, combined, and/or modified to provide alternative or sub-combinations. Each of these processes or blocks may be implemented in a variety of different ways. Also, while processes or blocks are at times shown as being performed in series, these processes or blocks may instead be performed or implemented in parallel, or may be performed at different times. Further, any specific numbers noted herein are only examples such that alternative implementations can employ differing values or ranges.

Details of the disclosed embodiments may vary considerably in specific implementations while still being encompassed by the disclosed teachings. As noted above, particular terminology used when describing certain features or aspects of the invention should not be taken to imply that the terminology is being redefined herein to be restricted to any specific characteristics, features, or aspects of the invention with which that terminology is associated. In general, the terms used in the following claims should not be construed to limit the invention to the specific examples disclosed in the specification, unless the above Detailed Description explicitly defines such terms. Accordingly, the actual scope of the invention encompasses not only the disclosed examples, but also all equivalent ways of practicing or implementing the invention under the claims. Some alternative implementations can include additional elements to those implementations described above or include fewer elements.

Any patents and applications and other references noted above, and any that may be listed in accompanying filing papers, are incorporated herein by reference in their entireties, except for any subject matter disclaimers or disavowals, and except to the extent that the incorporated material is inconsistent with the express disclosure herein, in which case the language in this disclosure controls. Aspects of the invention can be modified to employ the systems, functions, and concepts of the various references described above to provide yet further implementations of the invention.

To reduce the number of claims, certain embodiments are presented below in certain claim forms, but the applicant contemplates various aspects of an invention in other forms. For example, aspects of a claim can be recited in a means-plus-function form or in other forms, such as being embodied in a computer-readable medium. A claim intended to be interpreted as a means-plus-function claim will begin with the words “means for.” However, the use of the term “for” in any other context is not intended to invoke a similar interpretation. The applicant reserves the right to pursue such additional claim forms in either this application or in a continuing application.

I claim:
 1. At least one computer-readable storage medium, excluding transitory signals and carrying instructions, which, when executed by at least one data processor of a security system, cause the security system to: analyze a vulnerability or a risk applicable to a network entity of a 5G network to identify a cybersecurity threat to the network entity; determine a risk level of the cybersecurity threat, wherein the risk level is selected from multiple risk levels; store an indication of the cybersecurity threat and the risk level of the cybersecurity threat in a database of a Domain Name System (DNS) that is communicatively coupled to the 5G network; monitor, by a computing resource of the security system, network traffic routed via the 5G network for the cybersecurity threat; resolve, with the DNS, the network traffic associated with the cybersecurity threat to determine an IP address or a URL of a source or a destination of the cybersecurity threat; in response to the determination of the IP address or URL associated with the cybersecurity threat to the network entity, map the cybersecurity threat to the IP address or the URL of the source or the destination and the network entity at the DNS; categorize subsequent network traffic according to the multiple risk levels; dynamically create a network slice of the 5G network for each of the multiple risk levels; redirect portions of the subsequent network traffic to corresponding network slices of the 5G network associated with matching risk levels; and protect the network entity from the cybersecurity threat by processing the subsequent network traffic of the IP address or the URL in accordance with a security procedure of a Session Management Function (SMF) of the 5G network, wherein the security procedure is selected from among multiple security procedures based on the risk level associated with the cybersecurity threat to the network entity.
 2. The at least one computer-readable storage medium of claim 1, wherein execution of the security procedure causes the security system to: block the subsequent network traffic routed between the source or the destination associated with the IP address or the URL and the network entity.
 3. The at least one computer-readable storage medium of claim 1, wherein execution of the security procedure causes the security system to: inspect the subsequent network traffic routed between the source or the destination associated with the IP address or the URL and the network entity; and re-route the inspected network traffic associated with the risk level to a containment area of the 5G network.
 4. The at least one computer-readable storage medium of claim 1, wherein the security system is further caused to: dynamically allocate security resources of the 5G network to inspect a first network traffic at a first risk level and to block a second network traffic at a second risk level greater than the first risk level.
 5. The at least one computer-readable storage medium of claim 1, wherein the security procedure is selected from among the multiple security procedures based additionally on contextual information associated with the network entity, and wherein the contextual information includes a time of day in which the subsequent network traffic is communicated and a geographic location of a source or a destination of the subsequent network traffic.
 6. The at least onecomputer-readable storage medium of claim 1, wherein the network entityincludes a wireless device and associated user, and wherein analysis ofthe vulnerability or the risk causes the security system to: analyzecontextual information relating to the wireless device of the networkentity, a user preference of the network entity, and a call detailrecord associated with the network entity.
 7. The at least onecomputer-readable storage medium of claim 1, wherein the network entityincludes a wireless device, and wherein analysis of the vulnerability orthe risk causes the security system to: compare a property of a hardwarecomponent or a software component of the wireless device to propertiesof hardware or software components associated with knownvulnerabilities; and identify the cybersecurity threat based on theproperty of the hardware component or the software component matchingone of the properties with the known vulnerabilities.
8. The at least one computer-readable storage medium of claim 1, wherein the network entity includes a wireless device and associated user, and wherein analysis of the vulnerability or the risk causes the security system to: compare a characteristic of the user to one or more characteristics of a group of users that are associated with a known risk; and identify the cybersecurity threat based on the characteristic being common among the user and the group of users.
9. The at least one computer-readable storage medium of claim 1, wherein the multiple risk levels include a low risk level indicating a low risk of the cybersecurity threat, a medium risk level indicating a moderate risk of the cybersecurity threat, and a high risk level indicating a high risk of the cybersecurity threat, and wherein protection of the network entity from the cybersecurity threat causes the security system to: block any network traffic designated with the high risk level; inspect any network traffic designated with the medium risk level; and monitor any network traffic designated with the low risk level.
10. The at least one computer-readable storage medium of claim 1, wherein to store the indication of the cybersecurity threat and the risk level in a database of the DNS includes causing the system to: label the IP address or the URL as a potential source or a potential destination of the cybersecurity threat.
11. The at least one computer-readable storage medium of claim 1, wherein the computing resource that monitors the network traffic is located at a network access node of the 5G network.
12. The at least one computer-readable storage medium of claim 1, wherein the computing resource that monitors the network traffic is located at a core node of the 5G network.
13. The at least one computer-readable storage medium of claim 1, wherein the risk level associated with the cybersecurity threat to the network entity is based in part on a most frequently encountered (MFE) cybersecurity threat to the network entity.
14. A security system comprising: a data processor; and a memory including instructions which, when executed by the data processor, cause the security system to: store an indication of a cybersecurity threat in a database of a Domain Name System (DNS) that is communicatively coupled to a 5G network; detect the cybersecurity threat associated with network traffic routed via the 5G network; resolve, with the DNS, an IP address or a URL of the network traffic to determine a source or a destination of the cybersecurity threat; map the cybersecurity threat to the IP address or the URL of the source or the destination of the network traffic; protect a wireless device susceptible to the cybersecurity threat by processing subsequent network traffic of the IP address or the URL in accordance with a security procedure; categorize the subsequent network traffic according to multiple risk levels; dynamically create a network slice of the 5G network for each of the multiple risk levels; and redirect portions of the subsequent network traffic to corresponding network slices of the 5G network associated with matching risk levels.
15. The system of claim 14, wherein the wireless device is susceptible to the cybersecurity threat based on a hardware component of the wireless device.
16. The system of claim 14, wherein the wireless device is susceptible to the cybersecurity threat based on a software component of the wireless device.
17. The system of claim 14, wherein the security procedure is performed by a Session Management Function (SMF) of the 5G network.
18. A method of preventing cyberattacks in a 5G network, the method comprising: analyzing vulnerabilities and risks applicable to one or more network entities to identify cybersecurity threats to the one or more network entities, wherein the one or more network entities are associated with wireless devices communicatively coupled to the 5G network; determining multiple risk levels of the cybersecurity threats; storing indications of the cybersecurity threats and the multiple risk levels of the cybersecurity threats in a database of a Domain Name System (DNS) that is communicatively coupled to the 5G network; monitoring, by a computing resource of the 5G network, network traffic routed via the 5G network for the cybersecurity threats; categorizing subsequent network traffic according to the multiple risk levels; dynamically creating a network slice of the 5G network for each of the multiple risk levels; redirecting portions of the subsequent network traffic to corresponding network slices of the 5G network associated with matching risk levels; in response to the network traffic relating to one of the cybersecurity threats being resolved by the DNS, mapping the one of the cybersecurity threats to an IP address or a URL of the network traffic; and protecting the one or more network entities from the one of the cybersecurity threats by blocking or inspecting, by a Session Management Function (SMF) of the 5G network, the traffic being routed to or from the IP address or the URL.
19. The method of claim 18, further comprising: dynamically allocating computing resources of the 5G network to inspect and block traffic based at least in part on the risk level, a time of day, and a geographic location.
20. The method of claim 18, wherein analyzing vulnerabilities and risks applicable to the one or more network entities comprises: analyzing contextual information relating to wireless devices associated with the one or more network entities, user preferences associated with the one or more network entities, and call detail records associated with the one or more network entities.
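The following is an added worked example, not code from the patent or its assignee, that models the claimed control loop of claims 1, 5, 9 and 10: threat indications labelled on IP addresses or URLs in a DNS-side database, resolution of a flow's destination name to a labelled address, categorization into low, medium and high risk levels with the monitor, inspect and block procedures of claim 9 and one slice per level, and adjustment of the selected procedure by time of day and geographic location as in claim 5. All class and function names, the slice names, the off-hours window, the home country, the one-level escalation rule, the handling of unlabelled traffic and the sample resolver records and flows are assumptions constructed for the illustration; the claims specify none of them.

```python
"""Toy model of the risk-tiered DNS threat map in the claims.

Added illustration, not the patent's implementation. Every name, policy
threshold and sample value below is an assumption.
"""
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address
from urllib.parse import urlsplit


class Risk(IntEnum):
    LOW = 1      # monitor
    MEDIUM = 2   # inspect and re-route to a containment slice
    HIGH = 3     # block


# One security procedure (claim 9) and one network slice (claim 1) per risk
# level. Slice names are assumed.
PROCEDURE = {Risk.LOW: "monitor", Risk.MEDIUM: "inspect", Risk.HIGH: "block"}
SLICE = {Risk.LOW: "slice-low", Risk.MEDIUM: "slice-containment", Risk.HIGH: "slice-block"}


def normalize(indicator: str) -> str:
    """Canonical lookup key for an IP address, a bare hostname or a URL.

    Simplification: a URL indicator is keyed by its host only, so any path
    under that host matches.
    """
    try:
        return str(ip_address(indicator))
    except ValueError:
        pass
    if "://" in indicator:
        return (urlsplit(indicator).hostname or "").lower()
    return indicator.lower()


@dataclass(frozen=True)
class Threat:
    threat_id: str
    risk: Risk


class ThreatDNS:
    """DNS-side store: name-to-IP records plus threat labels on IPs/hosts."""

    def __init__(self, records):
        # Constructed resolver table (hostname -> IP) standing in for zone data.
        self._records = {name.lower(): ip for name, ip in records.items()}
        self._labels = {}  # normalized indicator -> Threat (claims 1 and 10)

    def store(self, threat, indicators):
        """Label each IP address or URL as a potential source/destination."""
        for indicator in indicators:
            self._labels[normalize(indicator)] = threat

    def resolve(self, name):
        return self._records.get(name.lower())

    def lookup(self, indicator):
        """Threat labelled on the indicator itself, else on the IP it resolves to."""
        key = normalize(indicator)
        threat = self._labels.get(key)
        if threat is None:
            ip = self.resolve(key)
            if ip is not None:
                threat = self._labels.get(ip)
        return threat


def categorize(dns, flow, off_hours=range(0, 6), home_country="US"):
    """Assign a risk level, procedure and slice to one flow (claims 1, 5, 9).

    Assumed context rule: a matched threat seen in off-hours or from outside
    the home country is raised one level (capped at HIGH). Unmatched traffic
    is allowed on a default slice; the claims do not say how it is handled.
    """
    threat = dns.lookup(flow["dst"]) or dns.lookup(flow["src"])
    if threat is None:
        return {"threat": None, "risk": None, "procedure": "allow", "slice": "slice-default"}
    risk = threat.risk
    if flow["hour"] in off_hours or flow["country"] != home_country:
        risk = Risk(min(risk + 1, Risk.HIGH))
    return {"threat": threat.threat_id, "risk": risk,
            "procedure": PROCEDURE[risk], "slice": SLICE[risk]}


def build_demo():
    """Run constructed sample flows through a constructed threat map."""
    dns = ThreatDNS({"update.vendor.test": "203.0.113.7",
                     "cdn.example.test": "198.51.100.20"})
    dns.store(Threat("T-001", Risk.HIGH), ["203.0.113.7"])                           # IP
    dns.store(Threat("T-002", Risk.MEDIUM), ["http://tracker.example.test/beacon"])  # URL
    dns.store(Threat("T-003", Risk.LOW), ["cdn.example.test"])                       # hostname
    flows = [  # constructed sample traffic
        {"src": "10.0.0.5", "dst": "update.vendor.test", "hour": 14, "country": "US"},   # name -> labelled IP
        {"src": "10.0.0.6", "dst": "tracker.example.test", "hour": 14, "country": "US"},
        {"src": "10.0.0.6", "dst": "tracker.example.test", "hour": 3, "country": "US"},  # off-hours escalation
        {"src": "10.0.0.7", "dst": "cdn.example.test", "hour": 10, "country": "US"},
        {"src": "10.0.0.8", "dst": "docs.example.test", "hour": 10, "country": "US"},    # no label
    ]
    return [categorize(dns, f) for f in flows]


if __name__ == "__main__":
    for decision in build_demo():
        print(decision)
```

The point the example makes that the claim language does not: the map has to be keyed on what the resolver actually returns, so a name that is clean in the database but resolves to a labelled address is still caught (the first flow), and the contextual adjustment changes the slice a flow lands on, not only the procedure applied to it (the third flow moves from the containment slice to the block slice).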